#VU66746 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in NodeBB - CVE-2022-36045

Published: August 24, 2022


Vulnerability identifier: #VU66746
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-36045
CWE-ID: CWE-338
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: NodeBB
Software vendor: NodeBB

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to the use of a weak pseudo-random number generator in the utils.generateUUID function. A remote attacker can use multiple invocations of the password reset functionality to calculate the reset code and take over an arbitrary account on the website.


Remediation

Install updates from the vendor's website.

External links